Secure your app with 2FA. Rob Allen ~ April 2017

Transcription

1 Secure your app with 2FA Rob Allen ~ April 2017

2 Your users' passwords will be leaked (It might not even be your fault)

3 Passwords have leaked from Sony Zappos JP Morgan Gap Facebook Twitter ebay AT&T Adobe Target Blizzard TalkTalk Evernote Yahoo! Steam Ubisoft Kickstarter Home Depot TK Maxx Vodafone HP AOL Citigroup WorldPay Gmail last.fm Apple SnapChat Ubuntu D&B Formspring Betfair

4 It will take 14 minutes* to crack one of your users' passwords *English word, stored using bcrypt

5 Two-factor authentication protects your users

6 What is 2FA?

7 Implementation on a website

8 Implementation on a website

9 How do we send the code?

10 Used by Steam Wide adoption (everyone has an address!) Likely failures: delivery problems, blocking, spam etc Usually slow! Same system as recover password

11 SMS Used by Twitter & LinkedIn Wide adoption But, SMS can be delayed & could cost to receive

12 Physical device Used by banks, YubiKey, Blizzard, etc Small, long battery life But: expensive

13 App Easy to use No Internet or cellular connection required App is free and trusted

14 One Time Password algorithms

15 HOTP HMAC-based One-Time Password algorithm Computed from shared secret and counter New code each time you press the button RFC 4226

16 HOTP algorithm: step 1

17 HOTP algorithm: step 2

18 HOTP algorithm: step 3

19 HOTP in PHP 1 function hotp($secret, $counter) 2 { 3 $bin_counter = pack('j*', $counter); 4 $hash = hash_hmac('sha1', $bin_counter, $secret, true); 5 6 $offset = ord($hash[19]) & 0xf; 7 8 $bin_code = 9 ((ord($hash[$offset+0]) & 0x7f) << 24 ) 10 ((ord($hash[$offset+1]) & 0xff) << 16 ) 11 ((ord($hash[$offset+2]) & 0xff) << 8 ) 12 (ord($hash[$offset+3]) & 0xff); return $bin_code % pow(10, 6); 15 }

20 Validation process If the user's code matches, then increment counter by 1 If the user's code does not match, then look-ahead a little Resync if can't find in look-ahead: 1. Ask the user for two consecutive codes 2. Look ahead further from last known counter until the 2 codes are found 3. Limit look-ahead to minimise attack area. e.g. 400

21 TOTP Time-based One-Time Password algorithm Computed from shared secret and current time Increases in 30 second intervals RFC 6238

22 TOTP Algorithm

23 TOTP in PHP 1 function totp($secret) 2 { 3 $counter = floor(time() / 30); 4 5 return hotp($secret, $counter); 6 }

24 Implementing 2FA in your application

25 Use a library! $composer require sonata-project/google-authenticator Usage: $g = new \Google\Authenticator\GoogleAuthenticator(); // create new secret and QR code $secret = $g->generatesecret(); $qrcode = $g->geturl('rob', 'akrabat.com', $secret); // validation of code $g->checkcode($secret, $_POST['code']);

26 Things to do 1. Registration of Authenticator 2. Check 2FA TOTP code during login

27 Set up 2FA

28 Set up 2FA

29 Set up 2FA

30 Set up 2FA

31 Set up 2FA

32 Set up 2FA: code 1 $app->get('/setup2fa', function () use ($app) { 2 $user = $_SESSION['user']; 3 4 $g = new \Google\Authenticator\GoogleAuthenticator(); 5 $secret = $g->generatesecret(); 6 $qrcodeurl = $g->geturl($user->getusername(), 7 '2fa.dev', $secret); 8 9 $app->flash('secret', $secret); 10 $app->render('setup2fa.twig', [ 11 'user' => $_SESSION['user'], 12 'secret' => $secret, 13 'qrcodeurl' => $qrcodeurl, 14 ]); 15 });

33 Set up 2FA: template 1 <h1>set up 2FA</h1> 2 3 <p>scan this code into Google Authenticator:</p> 4 <img src="{{ qrcodeurl }}"> 5 <p>or enter this code: <tt>{{ secret }}</tt></p> 6 7 <p>enter code from Google Authenticator to confirm:</p> 8 <form method="post" action="/setup2fa"> 9 <div class="form-group"> 10 <input name="code" maxlength="6"> 11 <button type="submit">confirm</button> 12 </div> 13 </form>

34 Set up 2FA

35 Set up 2FA: process submission 1 $app->post('/setup2fa', function () use ($app) { 2 $secret = $app->environment['slim.flash']['secret']; 3 $code = $app->request->post('code'); 4 5 $g = new \Google\Authenticator\GoogleAuthenticator(); 6 if ($g->checkcode($secret, $code)) { 7 /* successful registration: store secret into user's row in db */ 8 9 $app->redirect('/'); 10 } $app->flash('error', 'Failed to confirm code'); 13 $app->redirect('/setup2fa'); 14 });

36 Logging in

37 Logging in

38 Logging in

39 Logging in

40 Logging in

41 Login: 2FA code form 1 <h1>2fa authentication</h1> 2 3 <p>enter the code from Google Authenticator to complete login:</p> 4 5 <form method="post" action="/auth2fa"> 6 <div> 7 <input name="code" maxlength="6"> 8 <button type="submit">submit</button> 9 </div> 10 </form>

42 2FA code

43 Login: process 2FA code 1 $app->post('/auth2fa', function () use ($app) { 2 $user = $_SESSION['user_in_progress']; 3 $secret = $user->getsecret(); 4 $code = $app->request->post('code'); 5 6 $g = new \Google\Authenticator\GoogleAuthenticator(); 7 if ($g->checkcode($secret, $code)) { 8 /* code is valid! */ 9 $_SESSION['user'] = $_SESSION['user_in_progress']; $app->redirect('/'); 12 } $app->flash('error', 'Failed to confirm code'); 15 $app->redirect('/auth2fa'); 16 });

44 Round out solution Prevent brute force attacks Consider adding a "remember this browser" feature Need a solution for a lost/new phone Example project:

45 Hardware OTP: YubiKey

46 Operation 1. Insert YubiKey into USB slot 2. Select input field on form 3. Press button to fill in OTP field 4. Server validates OTP with YubiCloud service

47 Yubikey's OTP

48 Coding it $composer require enygma/yubikey Usage: $v = new \Yubikey\Validate($apiKey, $clientid); $response = $v->check($_post['yubikey_code']); if ($response->success() === true) { // allow into website }

49 That's all there is to it!

50 Thank you! Rob Allen -